© 2025 Direct Cursus Technology L.L.C.

Managing Yandex StoreDoc users

Written by
Yandex Cloud
Updated at September 25, 2025
  • Getting a list of users
  • Creating a user
  • Changing users
  • Deleting a user
  • Examples
    • Add a user with read-only permissions
    • Modify user permissions

You can add and delete users as well as manage their individual settings and database access permissions.

Getting a list of users

Management console

  1. Navigate to the folder dashboard and select Yandex StoreDoc.
  2. Click the name of the cluster you need and select the Users tab.

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To get a list of cluster users, run the following command:

yc managed-mongodb user list \
  --cluster-name <cluster_name>

You can get the cluster name with the list of clusters in the folder.

REST API

  1. Get an IAM token for API authentication and save it as an environment variable:

    export IAM_TOKEN="<IAM_token>"
    
  2. Use the User.List method and send the following request, e.g., via cURL:

    curl \
      --request GET \
      --header "Authorization: Bearer $IAM_TOKEN" \
      --url 'https://mdb.api.cloud.yandex.net/managed-mongodb/v1/clusters/<cluster_ID>/users'
    

    You can get the cluster ID with the list of clusters in the folder.

  3. View the server response to make sure your request was successful.

gRPC API

  1. Get an IAM token for API authentication and save it as an environment variable:

    export IAM_TOKEN="<IAM_token>"
    
  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
    

    Below, we assume the repository contents are stored in the ~/cloudapi/ directory.

  3. Use the UserService.List call and send the following request, e.g., via gRPCurl:

    grpcurl \
      -format json \
      -import-path ~/cloudapi/ \
      -import-path ~/cloudapi/third_party/googleapis/ \
      -proto ~/cloudapi/yandex/cloud/mdb/mongodb/v1/user_service.proto \
      -rpc-header "Authorization: Bearer $IAM_TOKEN" \
      -d '{
            "cluster_id": "<cluster_ID>"
          }' \
      mdb.api.cloud.yandex.net:443 \
      yandex.cloud.mdb.mongodb.v1.UserService.List
    

    You can get the cluster ID with the list of clusters in the folder.

  4. View the server response to make sure your request was successful.

Creating a user

Management console

  1. Navigate to the folder dashboard and select Yandex StoreDoc.

  2. Click the name of the cluster you need and select the Users tab.

  3. Click Create user.

  4. Enter the DB user name and password.

    Note

    The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.

    The password must be between 8 and 128 characters.

  5. Configure the roles for the user:

    1. Click Add database and select the database where you want to grant a role.
    2. Add roles using .

    You can grant multiple roles to a user in different databases.

  6. Click Create.

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To create a user in a cluster:

  1. View the description of the CLI command to create a user:

    yc managed-mongodb user create --help
    
  2. Specify the user properties in the create command:

    yc managed-mongodb user create <username> \
      --cluster-name <cluster_name> \
      --password <user_password> \
      --permission database=<DB_name>,role=<role>,role=<other_role>,... \
      --permission database=<other_DB_name>,role=<role>,...
    

    Note

    The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.

    The password must be between 8 and 128 characters.

    You can get the cluster name with the list of clusters in the folder.

Terraform

  1. Open the current Terraform configuration file that defines your infrastructure.

    For more information about creating this file, see this guide.

  2. Add the yandex_mdb_mongodb_user resource:

    resource "yandex_mdb_mongodb_user" "<username>" {
      cluster_id = <cluster_ID>
      name       = "<username>"
      password   = "<password>"
      permission {
        database_name = "<DB_name>"
        roles         = [ "<list_of_user_roles>" ]
      }
    }
    

    Where database_name is the name of the DB you want to grant access to.

    Note

    The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.

    The password must be between 8 and 128 characters.

  3. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate
      

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan
      

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply
        
      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider article.

REST API

  1. Get an IAM token for API authentication and save it as an environment variable:

    export IAM_TOKEN="<IAM_token>"
    
  2. Use the User.Create method and send the following request, e.g., via cURL:

    curl \
      --request POST \
      --header "Authorization: Bearer $IAM_TOKEN" \
      --header "Content-Type: application/json" \
      --url 'https://mdb.api.cloud.yandex.net/managed-mongodb/v1/clusters/<cluster_ID>/users' \
      --data '{
                "userSpec": {
                  "name": "<username>",
                  "password": "<user_password>",
                  "permissions": [
                    {
                      "databaseName": "<DB_name>",
                      "roles": [
                       "<role_1>", "<role_2>", ..., "<role_N>"
                      ]
                    }
                  ]
                }
              }'
    

    Where userSpec lists the new DB user settings:

    • name: Username.

    • password: User password.

      Note

      The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.

      The password must be between 8 and 128 characters.

    • permissions: User permissions settings:

      • databaseName: Name of the database the user gets access to.
      • roles: Array of user roles. Each role is provided as a separate string in the array. For a list of possible values, see Users and roles.

      For each database, add a separate element with permission settings to the permissions array.

    You can get the cluster ID with the list of clusters in the folder.

  3. View the server response to make sure your request was successful.

gRPC API

  1. Get an IAM token for API authentication and save it as an environment variable:

    export IAM_TOKEN="<IAM_token>"
    
  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
    

    Below, we assume the repository contents are stored in the ~/cloudapi/ directory.

  3. Use the UserService.Create call and send the following request, e.g., via gRPCurl:

    grpcurl \
      -format json \
      -import-path ~/cloudapi/ \
      -import-path ~/cloudapi/third_party/googleapis/ \
      -proto ~/cloudapi/yandex/cloud/mdb/mongodb/v1/user_service.proto \
      -rpc-header "Authorization: Bearer $IAM_TOKEN" \
      -d '{
            "cluster_id": "<cluster_ID>",
            "user_spec": {
              "name": "<username>",
              "password": "<user_password>",
              "permissions": [
                {
                  "database_name": "<DB_name>",
                  "roles": [
                     "<role_1>", "<role_2>", ..., "<role_N>"
                  ]   
                }
              ]
            }
          }' \
      mdb.api.cloud.yandex.net:443 \
      yandex.cloud.mdb.mongodb.v1.UserService.Create
    

    Where user_spec represents the new DB user settings:

    • name: Username.

    • password: User password.

      Note

      The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.

      The password must be between 8 and 128 characters.

    • permissions: User permission settings:

      • database_name: Name of the database the user gets access to.
      • roles: Array of user roles. Each role is provided as a separate string in the array. For a list of possible values, see Users and roles.

      For each database, add a separate element with permission settings to the permissions array.

    You can get the cluster ID with the list of clusters in the folder.

  4. View the server response to make sure your request was successful.
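
The following Python example is added here and is not part of the Yandex Cloud documentation. It builds the userSpec body for the REST User.Create request above, enforcing the username and password rules from the notes and emitting one permissions element per database. The function names are hypothetical, and the gRPC call would use user_spec and database_name instead.

```python
import json
import re

# Rules from the notes on this page. The helper names below are
# hypothetical; they are not part of any Yandex Cloud SDK.
USERNAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_-]*")
PASSWORD_MIN, PASSWORD_MAX = 8, 128


def validate_credentials(name, password):
    """Raise ValueError if the name or password breaks the documented rules."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError(
            "username may contain Latin letters, numbers, hyphens and "
            "underscores and must begin with a letter, number or underscore"
        )
    if not PASSWORD_MIN <= len(password) <= PASSWORD_MAX:
        raise ValueError("password must be between 8 and 128 characters")


def merge_grants(grants):
    """Turn (database, role) pairs into one permissions element per database."""
    by_db = {}
    for database, role in grants:
        if not database or not role:
            raise ValueError("database and role names must not be empty")
        roles = by_db.setdefault(database, [])
        if role not in roles:  # drop duplicate roles, keep first-seen order
            roles.append(role)
    return [{"databaseName": db, "roles": roles} for db, roles in by_db.items()]


def build_create_user_body(name, password, grants):
    """Return the JSON text to pass as the body of User.Create."""
    validate_credentials(name, password)
    body = {
        "userSpec": {
            "name": name,
            "password": password,
            "permissions": merge_grants(grants),
        }
    }
    # json.dumps escapes quotes and backslashes in the password, which a
    # hand-assembled --data '...' string does not.
    return json.dumps(body)


if __name__ == "__main__":
    # Constructed sample values; the password is a placeholder, not a real one.
    print(build_create_user_body("user2", "example-Passw0rd", [("db1", "read")]))
```

Piping the output to curl with --data @- keeps the password out of the shell command line.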

Changing users

Management console

  1. Navigate to the folder dashboard and select Yandex StoreDoc.

  2. Click the name of the cluster you need and select the Users tab.

  3. To edit a user password, click in the row with the user you need and select Change password.

    Note

    The password must be between 8 and 128 characters.

  4. To change the user's roles:

    1. Click in the row with the user you need and select Configure.
    2. To add a role, click next to the appropriate database and select the role.
    3. To delete a role, click next to the role name.
  5. Click Save.

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To change a user's password or list of roles:

  1. See the description of the CLI's update user command:

    yc managed-mongodb user update --help
    
  2. Specify the user properties in the update command:

    yc managed-mongodb user update <username> \
      --cluster-name <cluster_name> \
      --password <user_password> \
      --permission database=<DB_name>,role=<role>,role=<other_role>,... \
      --permission database=<other_DB_name>,role=<role>,...
    

    Note

    The password must be between 8 and 128 characters.

To grant a user access to a database with a defined list of roles:

  1. View a description of the CLI command to grant users permissions:

    yc managed-mongodb user grant-permission --help
    
  2. Specify the properties of the user in the grant permissions command:

    yc managed-mongodb user grant-permission <username> \
      --cluster-name <cluster_name> \
      --database <DB_name> \
      --role <list_of_roles_separated_by_commas>
    

To revoke user database access:

  1. View a description of the CLI command to revoke users' permissions:

    yc managed-mongodb user revoke-permission --help
    
  2. Specify the properties of the user in the revoke permissions command:

    yc managed-mongodb user revoke-permission <username> \
      --cluster-name <cluster_name> \
      --database <DB_name>
    

    This command denies the user all access to the specified database.

You can get the cluster name from the list of clusters in the folder, the DB name from the list of databases in the cluster, and the username from the list of users in the cluster.

Terraform

  1. Open the current Terraform configuration file that defines your infrastructure.

    For more information about creating this file, see this guide.

  2. Find the yandex_mdb_mongodb_user resource.

  3. Update the password field value and field values under permission:

    resource "yandex_mdb_mongodb_user" "<username>" {
      cluster_id = <cluster_ID>
      name       = "<username>"
      password   = "<new_password>"
      permission {
        database_name = "<DB_name>"
        roles         = [ "<new_list_of_user_roles>" ]
      }
    }
    

    Note

    The password must be between 8 and 128 characters.

  4. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate
      

      Terraform will show any errors found in your configuration files.

  5. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan
      

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply
        
      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider article.

REST API

  1. Get an IAM token for API authentication and save it as an environment variable:

    export IAM_TOKEN="<IAM_token>"
    
  2. Use the User.Update method and send the following request, e.g., via cURL:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask parameter as a single comma-separated string.

    curl \
      --request PATCH \
      --header "Authorization: Bearer $IAM_TOKEN" \
      --header "Content-Type: application/json" \
      --url 'https://mdb.api.cloud.yandex.net/managed-mongodb/v1/clusters/<cluster_ID>/users/<username>' \
      --data '{
               "updateMask": "password,permissions.databaseName,permissions.roles",
               "password": "<user_password>",
               "permissions": [
                 {
                   "databaseName": "<DB_name>",
                   "roles": [
                     "<role_1>", "<role_2>", ..., "<role_N>"
                   ]
                 }
               ]
             }'
    

    Where:

    • updateMask: List of parameters to update as a single string, separated by commas.

    • password: User password.

      Note

      The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.

      The password must be between 8 and 128 characters.

    • permissions: User permission settings:

      • databaseName: Name of the database the user gets access to.
      • roles: Array of user roles. Each role is provided as a separate string in the array. For the list of possible values, see Users and roles.

    You can get the cluster ID from the list of clusters in the folder and the username from the list of users in the cluster.

  3. View the server response to make sure your request was successful.

gRPC API

  1. Get an IAM token for API authentication and save it as an environment variable:

    export IAM_TOKEN="<IAM_token>"
    
  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
    

    Below, we assume the repository contents are stored in the ~/cloudapi/ directory.

  3. Use the UserService.Update call and send the following request, e.g., via gRPCurl:

    Warning

    The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the update_mask parameter as an array of paths[] strings.

    Format for listing settings:

    "update_mask": {
        "paths": [
            "<setting_1>",
            "<setting_2>",
            ...
            "<setting_N>"
        ]
    }
    
    grpcurl \
      -format json \
      -import-path ~/cloudapi/ \
      -import-path ~/cloudapi/third_party/googleapis/ \
      -proto ~/cloudapi/yandex/cloud/mdb/mongodb/v1/user_service.proto \
      -rpc-header "Authorization: Bearer $IAM_TOKEN" \
      -d '{
            "cluster_id": "<cluster_ID>",
            "user_name": "<username>",
            "update_mask": {
              "paths": [
                "password",
                "permissions.database_name",
                "permissions.roles"
              ]
            },
            "password": "<user_password>",
            "permissions": [
              {
                "database_name": "<DB_name>",
                "roles": [
                  "<role_1>", "<role_2>", ..., "<role_N>"
                ]
              }
            ]
          }' \
      mdb.api.cloud.yandex.net:443 \
      yandex.cloud.mdb.mongodb.v1.UserService.Update
    

    Where:

    • update_mask: List of parameters to update as an array of paths[] strings.

    • password: User password.

      Note

      The username may contain Latin letters, numbers, hyphens, and underscores but must begin with a letter, number, or underscore.

      The password must be between 8 and 128 characters.

    • permissions: User permission settings:

      • database_name: Name of the database the user gets access to.
      • roles: Array of user roles. Each role is provided as a separate string in the array. For the list of possible values, see Users and roles.

    You can get the cluster ID from the list of clusters in the folder and the username from the list of users in the cluster.

  4. View the server response to make sure your request was successful.
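
The following Python example is added here and is not part of the Yandex Cloud documentation. It follows the warnings above by building a User.Update body whose mask names only the settings actually supplied, in both the REST form (updateMask string) and the gRPC form (update_mask.paths array), and it reviews any body for a mask that does not match its contents. The function names are hypothetical; the mask paths are the ones used in the requests on this page.

```python
import json

# Mask paths exactly as they appear in the User.Update requests on this page.
MASK_PATHS = {
    "rest": {"password": ["password"],
             "permissions": ["permissions.databaseName", "permissions.roles"]},
    "grpc": {"password": ["password"],
             "permissions": ["permissions.database_name", "permissions.roles"]},
}


def build_user_update(style, password=None, permissions=None,
                      cluster_id=None, user_name=None):
    """Build a User.Update body whose mask names only the supplied settings.

    style       -- "rest" (updateMask string) or "grpc" (update_mask.paths)
    password    -- new password, or None to leave it out of the mask
    permissions -- {database: [roles]}, or None to leave it out of the mask
    """
    if style not in MASK_PATHS:
        raise ValueError("style must be 'rest' or 'grpc'")
    if password is None and permissions is None:
        raise ValueError("nothing to update")
    if password is not None and not 8 <= len(password) <= 128:
        raise ValueError("password must be between 8 and 128 characters")

    db_key = "databaseName" if style == "rest" else "database_name"
    paths, settings = [], {}
    if password is not None:
        paths += MASK_PATHS[style]["password"]
        settings["password"] = password
    if permissions is not None:
        paths += MASK_PATHS[style]["permissions"]
        settings["permissions"] = [
            {db_key: db, "roles": list(roles)}
            for db, roles in permissions.items()
        ]

    if style == "rest":
        # REST: cluster ID and username travel in the URL; mask is one string.
        return {"updateMask": ",".join(paths), **settings}
    if not cluster_id or not user_name:
        raise ValueError("gRPC requests need cluster_id and user_name")
    return {"cluster_id": cluster_id, "user_name": user_name,
            "update_mask": {"paths": paths}, **settings}


def mask_mismatches(body):
    """Review a request body, whether built here or written by hand.

    Reports settings named in the mask but missing from the body, and
    settings present in the body but not named in the mask.
    """
    if "updateMask" in body:
        paths = [p for p in body["updateMask"].split(",") if p.strip()]
    else:
        paths = body.get("update_mask", {}).get("paths", [])
    masked = {p.split(".", 1)[0].strip() for p in paths}
    present = {k for k in ("password", "permissions") if k in body}
    return {"masked_but_missing": sorted(masked - present),
            "present_but_unmasked": sorted(present - masked)}


if __name__ == "__main__":
    # Constructed sample: send permissions only; the password is not masked.
    body = build_user_update("rest", permissions={"db2": ["read"]})
    print(json.dumps(body, indent=2))
    print(mask_mismatches(body))
```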

Deleting a user

Management console

  1. Navigate to the folder dashboard and select Yandex StoreDoc.
  2. Click the name of the cluster you need and select the Users tab.
  3. Click in the row with the user you need and select Delete.

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To delete a user, run this command:

yc managed-mongodb user delete <username> \
  --cluster-name <cluster_name>

You can get the cluster name with the list of clusters in the folder.

Terraform

  1. Open the current Terraform configuration file that defines your infrastructure.

    For more information about creating this file, see this guide.

  2. Delete the yandex_mdb_mongodb_user resource with the user description.

  3. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate
      

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan
      

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply
        
      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see this Terraform provider article.

REST API

  1. Get an IAM token for API authentication and save it as an environment variable:

    export IAM_TOKEN="<IAM_token>"
    
  2. Use the User.Delete method and send the following request, e.g., via cURL:

    curl \
      --request DELETE \
      --header "Authorization: Bearer $IAM_TOKEN" \
      --url 'https://mdb.api.cloud.yandex.net/managed-mongodb/v1/clusters/<cluster_ID>/users/<username>'
    

    You can get the cluster ID from the list of clusters in the folder and the username from the list of users in the cluster.

  3. View the server response to make sure your request was successful.

gRPC API

  1. Get an IAM token for API authentication and save it as an environment variable:

    export IAM_TOKEN="<IAM_token>"
    
  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
    

    Below, we assume the repository contents are stored in the ~/cloudapi/ directory.

  3. Use the UserService.Delete call and send the following request, e.g., via gRPCurl:

    grpcurl \
      -format json \
      -import-path ~/cloudapi/ \
      -import-path ~/cloudapi/third_party/googleapis/ \
      -proto ~/cloudapi/yandex/cloud/mdb/mongodb/v1/user_service.proto \
      -rpc-header "Authorization: Bearer $IAM_TOKEN" \
      -d '{
            "cluster_id": "<cluster_ID>",
            "user_name": "<username>"
          }' \
      mdb.api.cloud.yandex.net:443 \
      yandex.cloud.mdb.mongodb.v1.UserService.Delete
    

    You can get the cluster ID from the list of clusters in the folder and the username from the list of users in the cluster.

  4. View the server response to make sure your request was successful.

Examples

Add a user with read-only permissions

To add a new user (user2) to an existing cluster with read-only access to the db1 database:

Management console

  1. Navigate to the folder dashboard and select Yandex StoreDoc.
  2. Click the name of the cluster you need and select the Users tab.
  3. Click Create user.
  4. Enter user2 for username and enter a password (from 8 to 128 characters).
  5. Select the db1 database from the Add database drop-down list.
  6. Select the read role from the drop-down list next to the db1 database.
  7. Click Create.

CLI

Run this command:

yc managed-mongodb user create user2 \
  --cluster-name <cluster_name> \
  --password <user_password> \
  --permission database=db1,role=read

Terraform

  1. Open the current Terraform configuration file that defines your infrastructure.

    For more information about creating this file, see this guide.

  2. Add the yandex_mdb_mongodb_user resource:

    resource "yandex_mdb_mongodb_user" "user2" {
      cluster_id = <cluster_ID>
      name       = "user2"
      password   = "<password>"
      permission {
        database_name = "db1"
        roles         = [ "read" ]
      }
    }
    
  3. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate
      

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan
      

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply
        
      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see the Terraform provider documentation.

Modify user permissions

To grant read-only access to the db2 database to an existing cluster1 user named user1:

Management console

  1. Navigate to the folder dashboard and select Yandex StoreDoc.
  2. Click cluster1 and select the Users tab.
  3. Click in the row with user1 and select Configure.
  4. Click Add database and select db2 as your database.
  5. Click and select the read role from the drop-down list next to the db2 database.
  6. Click Save.

CLI

Run this command:

yc managed-mongodb user grant-permission user1 \
  --cluster-name cluster1 \
  --database db2 \
  --role read

Terraform

  1. Open the current Terraform configuration file that defines your infrastructure.

    For more information about creating this file, see this guide.

  2. Find the yandex_mdb_mongodb_user resource.

  3. Add the permission section:

    resource "yandex_mdb_mongodb_user" "user1" {
      cluster_id = <cluster_ID>
      name       = "user1"
      password   = "<password>"
      permission {
        database_name = "db2"
        roles         = [ "read" ]
      }
    }
    
  4. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate
      

      Terraform will show any errors found in your configuration files.

  5. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan
      

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply
        
      2. Confirm updating the resources.

      3. Wait for the operation to complete.

For more information, see the Terraform provider documentation.
